Sigma
Sigma rules for CVE-2023-48738
1 rules · scoped to cve · back to CVE-2023-48738
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
1 of 1
direct
medium
Potential ShellDispatch.DLL Functionality Abuse
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
view Sigma YAML
title: Potential ShellDispatch.DLL Functionality Abuse
id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
status: test
description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
references:
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains: 'RunDll_ShellExecuteW'
condition: all of selection_*
falsepositives:
- Unlikely
level: medium
Showing 1-1 of 1